LuditeTreoPhile
  1. Things seem to be going great! No search engine redirects, no update or reboot loops so far. Thanks so much for your help! I really appreciate your efforts. Thanks, LTP
  2. So far so good. No redirects that I saw when doing a search on Malware. Here is the log and HOSTS file. A couple of questions for when this is done: 1) Is it likely that there is something still on the machine to alter the Hosts file again? 2) Will I be able to reinstall Trend Micro? 3) Can I add Malwarebytes Anti-Malware as a TSR or will it conflict with Trend Micro?

     --------------------- Start ComboFix Log ------------------------------------------------
     ComboFix 09-04-13.A2 - Cheryl 2009-04-13 20:10.3 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2430 [GMT -4:00]
     Running from: c:\documents and settings\Cheryl\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Cheryl\Desktop\CFScript.txt
      * Created a new restore point

     FILE ::
     c:\windows\system32\drivers\etc\hosts
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .

     c:\windows\system32\drivers\etc\hosts

     .
     ((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
     .

     2009-04-14 00:17 . 2009-04-14 00:17 12568 ----a-w c:\windows\system32\drivers\PROCEXP113.SYS
     2009-04-13 22:19 . 2009-04-13 22:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
     2009-04-13 21:22 . 2009-04-13 21:38 -------- d-----w C:\HostsXpert
     2009-04-13 18:21 . 2009-04-13 18:59 -------- d-----w c:\documents and settings\Cheryl\Local Settings\Application Data\SmartSync Pro
     2009-04-13 15:57 . 2009-04-13 15:57 -------- d-----w c:\documents and settings\Cheryl\Interactive
     2009-04-13 15:57 . 2009-04-13 15:57 -------- d-----w c:\documents and settings\Cheryl\log
     2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\documents and settings\Cheryl\Application Data\Malwarebytes
     2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-04-11 21:18 . 2009-04-12 16:26 -------- d-----w c:\documents and settings\Cheryl\.housecall6.6
     2009-04-11 18:52 . 2002-08-09 18:38 23323 ----a-w c:\windows\system32\U2S2KXP.SYS
     2009-04-11 18:52 . 2002-08-09 18:38 23323 ----a-w c:\windows\system32\drivers\U2S2KXP.SYS
     2009-04-11 18:52 . 2002-01-16 20:02 24745 ------w c:\windows\system32\ADM8511.SYS
     2009-04-11 18:29 . 2009-04-11 18:52 -------- d-----w c:\program files\Targus
     2009-04-11 18:05 . 2002-01-16 20:02 24745 ----a-w c:\windows\system32\dllcache\adm8511.sys
     2009-04-11 18:05 . 2002-01-16 20:02 24745 ------w c:\windows\system32\drivers\ADM8511.SYS
     2009-04-08 04:30 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
     2009-04-08 03:39 . 2009-04-08 03:40 -------- d-----w C:\1ae88c55a7ef9bbca7b762
     2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\windows\system32\XPSViewer
     2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\program files\MSBuild
     2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\program files\Reference Assemblies
     2009-04-08 02:47 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
     2009-04-08 02:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
     2009-04-08 02:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
     2009-04-08 02:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
     2009-04-08 02:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
     2009-04-08 02:47 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
     2009-04-08 02:47 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
     2009-04-08 02:47 . 2009-04-08 02:48 -------- d-----w C:\b9813e1088fe36e8c567
     2009-04-08 02:47 . 2009-04-08 03:41 -------- d-----w c:\windows\SxsCaPendDel
     2009-04-02 22:04 . 2009-04-02 22:09 -------- d-----w C:\_SMA
     2009-03-26 11:22 . 2009-03-26 11:22 -------- d-----w c:\documents and settings\Cheryl\Client Security Solution

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-04-14 00:16 . 2008-10-06 14:25 40974 ----a-w C:\Log.txt
     2009-04-13 17:55 . 2009-03-06 04:13 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
     2009-04-11 21:09 . 2008-09-25 00:33 84848 ----a-w c:\documents and settings\Cheryl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-04-11 21:03 . 2009-04-11 21:03 3248 ----a-w C:\TMPatch.log
     2009-04-11 18:52 . 2008-08-05 02:51 -------- d--h--w c:\program files\InstallShield Installation Information
     2009-04-02 22:12 . 2009-03-05 23:38 -------- d-sh--w c:\documents and settings\All Users\Application Data\410acfb
     2009-04-01 13:55 . 2008-09-24 00:35 -------- d-----w c:\documents and settings\Cheryl\Application Data\Lenovo
     2009-03-11 02:18 . 2008-09-06 03:29 934792 ------w c:\windows\system32\dllcache\WgaTray.exe
     2009-03-11 02:18 . 2008-09-06 03:30 239496 ------w c:\windows\system32\dllcache\wgaLogon.dll
     2009-02-27 13:55 . 2008-10-05 03:44 -------- d-----w c:\program files\Microsoft Silverlight
     2009-02-27 13:41 . 2009-02-27 13:41 -------- d-----w c:\documents and settings\Cheryl\Application Data\DivX
     2009-02-24 02:13 . 2008-11-14 00:57 -------- d-----w c:\documents and settings\Jason\Application Data\Clipdiary
     2009-02-13 18:45 . 2008-08-05 03:12 -------- d-----w c:\program files\Google
     2009-02-09 11:13 . 2008-10-16 18:54 1846784 ------w c:\windows\system32\dllcache\win32k.sys
     2009-02-09 11:13 . 2006-04-30 06:55 1846784 ----a-w c:\windows\system32\win32k.sys
     2009-01-17 17:22 . 2008-10-18 03:43 1470 ----a-w C:\pdanetbt.txt
     2009-01-17 02:35 . 2006-11-08 04:03 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
     2009-01-16 17:54 . 2008-09-27 21:26 84848 ----a-w c:\documents and settings\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-01-14 21:40 . 2008-11-20 21:47 12535 ----a-w C:\hpfr6500.log
     2008-09-24 00:22 . 2008-09-24 00:22 62344 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

     .
     ((((((((((((((((((((((((((((( SnapShot@2009-04-13_15.24.04.17 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-04-14 00:15 . 2009-04-14 00:15 16384 c:\windows\Temp\Perflib_Perfdata_394.dat
     + 2009-04-14 00:15 . 2009-04-14 00:15 16384 c:\windows\Temp\Perflib_Perfdata_2c8.dat
     + 2009-04-14 00:12 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
     - 2009-04-13 19:16 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-27 68856]
     "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-08-25 331776]
     "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-08-25 208896]
     "TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
     "TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
     "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
     "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-06 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-06 162328]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-06 137752]
     "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
     "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
     "AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 419376]
     "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
     "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
     "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
     "cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
     "PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Professional 3.0\\RegistryController.exe" [2005-07-01 106496]
     "StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
     "TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
     "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2008-10-17 98304]
     "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
     "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
     "TpShocks"="TpShocks.exe" [2007-11-22 c:\windows\system32\TpShocks.exe]

     c:\documents and settings\Cheryl\Start Menu\Programs\Startup\
     Process Explorer.lnk - c:\program files\Process Explorer\procexp.exe [1619-09-25 3550064]
     Task Manager.lnk - c:\windows\system32\taskmgr.exe [2006-04-30 135680]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-08-04 50688]
     Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2008-10-22 172032]
     Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2008-10-22 217088]
     HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2008-10-17 471040]
     Task Manager.lnk - c:\windows\system32\taskmgr.exe [2006-04-30 135680]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
     2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
     2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
     2007-07-05 17:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages REG_MULTI_SZ scecli ACGina

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
     "c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
     "c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
     "c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\WINDOWS\\system32\\msiexec.exe"=

     R3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\DRIVERS\ADM8511.SYS [2002-01-16 24745]
     S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-10-16 103472]
     S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
     S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
     S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
     S1 kbfilter;Keyboard Filter Driver; [x]
     S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2008-08-25 4442]
     S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-08-25 94208]
     S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]
     S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-01-01 8576]
     S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2008-03-04 22568]
     S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - PROCEXP113

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e404534b-8a73-11dd-b28c-001cbfd56df7}]
     \Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
     .
     Contents of the 'Scheduled Tasks' folder

     2009-04-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
     - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 18:54]

     2009-03-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
     - c:\program files\PCDR5\pcdr5cuiw32.exe [2008-09-26 19:21]

     2009-04-14 c:\windows\Tasks\PMTask.job
     - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-25 01:45]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
     IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
     FF - ProfilePath - c:\documents and settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\2f08ch27.default\
     FF - prefs.js: browser.search.selectedEngine - Answers.com
     FF - component: c:\program files\Lenovo\Client Security Solution\PWM Firefox Extension\components\tvtpwm_moz_xpcom.dll
     .

     **************************************************************************

     catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-04-13 20:16
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1328)
     c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
     c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
     c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
     c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
     c:\program files\Lenovo\HOTKEY\tphklock.dll

     - - - - - - - > 'lsass.exe'(1384)
     c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
     c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
     c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
     c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
     c:\program files\ThinkPad\ConnectUtilities\ACON.dll
     c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
     c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
     c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
     c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
     c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

     - - - - - - - > 'explorer.exe'(580)
     c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
     c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
     c:\program files\Lenovo\Client Security Solution\css_banner.dll
     c:\program files\Lenovo\Client Security Solution\csswait.dll
     c:\windows\system32\cssuserdatadispatcher.dll
     c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
     c:\windows\system32\tvttsp.dll
     c:\windows\system32\tcsrpc.dll
     c:\program files\Common Files\Lenovo\tvt_think_res.dll
     c:\program files\Lenovo\Client Security Solution\css_think_res.dll
     c:\program files\Windows Desktop Search\deskbar.dll
     c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
     c:\program files\Windows Desktop Search\dbres.dll
     c:\program files\Windows Desktop Search\wordwheel.dll
     c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
     c:\program files\Windows Desktop Search\msnlExtRes.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\ibmpmsvc.exe
     c:\program files\Intel\Wireless\Bin\S24EvMon.exe
     c:\windows\system32\IPSSVC.EXE
     c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
     c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
     c:\program files\Intel\Wireless\Bin\EvtEng.exe
     c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Intel\Wireless\Bin\RegSrvc.exe
     c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
     c:\windows\system32\TPHDEXLG.exe
     c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
     c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
     c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
     c:\windows\system32\searchindexer.exe
     c:\program files\Common Files\Lenovo\Logger\logmon.exe
     c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
     c:\program files\Lenovo\System Update\SUService.exe
     c:\program files\Windows Media Player\wmpnetwk.exe
     c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\system32\rundll32.exe
     c:\windows\system32\igfxsrvc.exe
     c:\program files\Lenovo\HOTKEY\TPONSCR.exe
     c:\program files\Lenovo\ZOOM\TpScrex.exe
     c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
     c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
     c:\program files\hp\hpcoretech\comp\hptskmgr.exe
     c:\program files\Wireless Device\Wireless Keyboard\OSD.exe
     .
     **************************************************************************
     .
     Completion time: 2009-04-13 20:20 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-04-14 00:20
     ComboFix2.txt 2009-04-13 23:35
     ComboFix3.txt 2009-04-13 19:25

     Pre-Run: 9,087,692,800 bytes free
     Post-Run: 9,072,472,064 bytes free

     275 --- E O F --- 2009-04-08 03:48
     --------------------- End ComboFix Log ------------------------------------------------

     ----------------------------------------- Start HOSTS file -------------------------------------------------
     # Copyright
  3. I did set up Process Explorer. I've always had Task Manager run at startup so I could monitor how much CPU was being used. After I installed TM I noticed that the CPU would run up around 100%, particularly when doing a download through Firefox. I was curious what it was. Task Manager only told me it was System, so I did some research and found I could learn more by looking at the threads through Process Explorer. So I set that to run at startup as well so I could see which processes were taking the most CPU. Mostly just my curiosity to learn more about my computer. Okay, starting the next round of ComboFix momentarily. I saved the CFScript to a text file using Notepad. Just curious if I have to add one blank line at the end (I did). I'm going to run it anyway and if it chokes, I'll remove the last blank line. LTP
  4. Here is the latest ComboFix log:

     ComboFix 09-04-13.A2 - Cheryl 2009-04-13 19:25.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2466 [GMT -4:00]
     Running from: c:\documents and settings\Cheryl\Desktop\ComboFix.exe
     .
     ((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
     .

     2009-04-13 22:19 . 2009-04-13 22:19 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
     2009-04-13 21:22 . 2009-04-13 21:38 -------- d-----w C:\HostsXpert
     2009-04-13 18:21 . 2009-04-13 18:59 -------- d-----w c:\documents and settings\Cheryl\Local Settings\Application Data\SmartSync Pro
     2009-04-13 15:57 . 2009-04-13 15:57 -------- d-----w c:\documents and settings\Cheryl\Interactive
     2009-04-13 15:57 . 2009-04-13 15:57 -------- d-----w c:\documents and settings\Cheryl\log
     2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\documents and settings\Cheryl\Application Data\Malwarebytes
     2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-04-11 21:18 . 2009-04-12 16:26 -------- d-----w c:\documents and settings\Cheryl\.housecall6.6
     2009-04-11 18:52 . 2002-08-09 18:38 23323 ----a-w c:\windows\system32\U2S2KXP.SYS
     2009-04-11 18:52 . 2002-08-09 18:38 23323 ----a-w c:\windows\system32\drivers\U2S2KXP.SYS
     2009-04-11 18:52 . 2002-01-16 20:02 24745 ------w c:\windows\system32\ADM8511.SYS
     2009-04-11 18:29 . 2009-04-11 18:52 -------- d-----w c:\program files\Targus
     2009-04-11 18:05 . 2002-01-16 20:02 24745 ----a-w c:\windows\system32\dllcache\adm8511.sys
     2009-04-11 18:05 . 2002-01-16 20:02 24745 ------w c:\windows\system32\drivers\ADM8511.SYS
     2009-04-08 04:30 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
     2009-04-08 03:39 . 2009-04-08 03:40 -------- d-----w C:\1ae88c55a7ef9bbca7b762
     2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\windows\system32\XPSViewer
     2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\program files\MSBuild
     2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\program files\Reference Assemblies
     2009-04-08 02:47 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
     2009-04-08 02:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
     2009-04-08 02:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
     2009-04-08 02:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
     2009-04-08 02:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
     2009-04-08 02:47 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
     2009-04-08 02:47 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
     2009-04-08 02:47 . 2009-04-08 02:48 -------- d-----w C:\b9813e1088fe36e8c567
     2009-04-08 02:47 . 2009-04-08 03:41 -------- d-----w c:\windows\SxsCaPendDel
     2009-04-02 22:04 . 2009-04-02 22:09 -------- d-----w C:\_SMA
     2009-03-26 11:22 . 2009-03-26 11:22 -------- d-----w c:\documents and settings\Cheryl\Client Security Solution

     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-04-13 23:31 . 2008-10-06 14:25 40830 ----a-w C:\Log.txt
     2009-04-13 17:55 . 2009-03-06 04:13 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
     2009-04-11 21:09 . 2008-09-25 00:33 84848 ----a-w c:\documents and settings\Cheryl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-04-11 21:03 . 2009-04-11 21:03 3248 ----a-w C:\TMPatch.log
     2009-04-11 18:52 . 2008-08-05 02:51 -------- d--h--w c:\program files\InstallShield Installation Information
     2009-04-02 22:12 . 2009-03-05 23:38 -------- d-sh--w c:\documents and settings\All Users\Application Data\410acfb
     2009-04-01 13:55 . 2008-09-24 00:35 -------- d-----w c:\documents and settings\Cheryl\Application Data\Lenovo
     2009-03-11 02:18 . 2008-09-06 03:29 934792 ------w c:\windows\system32\dllcache\WgaTray.exe
     2009-03-11 02:18 . 2008-09-06 03:30 239496 ------w c:\windows\system32\dllcache\wgaLogon.dll
     2009-02-27 13:55 . 2008-10-05 03:44 -------- d-----w c:\program files\Microsoft Silverlight
     2009-02-27 13:41 . 2009-02-27 13:41 -------- d-----w c:\documents and settings\Cheryl\Application Data\DivX
     2009-02-24 02:13 . 2008-11-14 00:57 -------- d-----w c:\documents and settings\Jason\Application Data\Clipdiary
     2009-02-13 18:45 . 2008-08-05 03:12 -------- d-----w c:\program files\Google
     2009-02-09 11:13 . 2008-10-16 18:54 1846784 ------w c:\windows\system32\dllcache\win32k.sys
     2009-02-09 11:13 . 2006-04-30 06:55 1846784 ----a-w c:\windows\system32\win32k.sys
     2009-01-17 17:22 . 2008-10-18 03:43 1470 ----a-w C:\pdanetbt.txt
     2009-01-17 02:35 . 2006-11-08 04:03 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
     2009-01-16 17:54 . 2008-09-27 21:26 84848 ----a-w c:\documents and settings\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-01-14 21:40 . 2008-11-20 21:47 12535 ----a-w C:\hpfr6500.log
     2008-09-24 00:22 . 2008-09-24 00:22 62344 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

     .
     ((((((((((((((((((((((((((((( SnapShot@2009-04-13_15.24.04.17 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2009-04-13 23:31 . 2009-04-13 23:31 16384 c:\windows\Temp\Perflib_Perfdata_390.dat
     + 2009-04-13 23:31 . 2009-04-13 23:31 16384 c:\windows\Temp\Perflib_Perfdata_2c0.dat
     + 2009-04-13 23:29 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
     - 2009-04-13 19:16 . 2005-10-21 00:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-27 68856]
     "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-08-25 331776]
     "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-08-25 208896]
     "TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
     "TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
     "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
     "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-06 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-06 162328]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-06 137752]
     "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
     "LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
     "AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 419376]
     "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
     "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
     "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
     "cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
     "PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Professional 3.0\\RegistryController.exe" [2005-07-01 106496]
     "StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
     "TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
     "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2008-10-17 98304]
     "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
     "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
     "TpShocks"="TpShocks.exe" [2007-11-22 c:\windows\system32\TpShocks.exe]

     c:\documents and settings\Cheryl\Start Menu\Programs\Startup\
     Process Explorer.lnk - c:\program files\Process Explorer\procexp.exe [1619-09-25 3550064]
     Task Manager.lnk - c:\windows\system32\taskmgr.exe [2006-04-30 135680]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-08-04 50688]
     Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2008-10-22 172032]
     Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2008-10-22 217088]
     HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2008-10-17 471040]
     Task Manager.lnk - c:\windows\system32\taskmgr.exe [2006-04-30 135680]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
     2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
     2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
     2007-07-05 17:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

     [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
     Notification Packages REG_MULTI_SZ scecli ACGina

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
     @="Driver"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
     "c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
     "c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
     "c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\WINDOWS\\system32\\msiexec.exe"=

     R3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\DRIVERS\ADM8511.SYS [2002-01-16 24745]
     S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-10-16 103472]
     S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
     S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
     S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
     S1 kbfilter;Keyboard Filter Driver; [x]
     S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2008-08-25 4442]
     S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-08-25 94208]
     S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]
     S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-01-01 8576]
     S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2008-03-04 22568]
     S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]

     --- Other Services/Drivers In Memory ---

     *Deregistered* - PROCEXP113

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e404534b-8a73-11dd-b28c-001cbfd56df7}]
     \Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
     .
     Contents of the 'Scheduled Tasks' folder

     2009-04-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
     - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 18:54]

     2009-03-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
     - c:\program files\PCDR5\pcdr5cuiw32.exe [2008-09-26 19:21]

     2009-04-13 c:\windows\Tasks\PMTask.job
     - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-25 01:45]
     .
     - - - - ORPHANS REMOVED - - - -

     HKU-Default-Run-OE - c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
     IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
     FF - ProfilePath - c:\documents and settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\2f08ch27.default\
     FF - prefs.js: browser.search.selectedEngine - Answers.com
     FF - component: c:\program files\Lenovo\Client Security Solution\PWM Firefox Extension\components\tvtpwm_moz_xpcom.dll
     .

     **************************************************************************

     catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-04-13 19:31
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(1328)
     c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
     c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
     c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
     c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
     c:\program files\Lenovo\HOTKEY\tphklock.dll

     - - - - - - - > 'lsass.exe'(1384)
     c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
     c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
     c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
     c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
     c:\program files\ThinkPad\ConnectUtilities\ACON.dll
     c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
     c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
     c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
     c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
     c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

     - - - - - - - > 'explorer.exe'(5952)
     c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
     c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
     c:\program files\Lenovo\Client Security Solution\css_banner.dll
     c:\program files\Lenovo\Client Security Solution\csswait.dll
     c:\windows\system32\cssuserdatadispatcher.dll
     c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
     c:\windows\system32\tvttsp.dll
     c:\windows\system32\tcsrpc.dll
     c:\program files\Common Files\Lenovo\tvt_think_res.dll
     c:\program files\Lenovo\Client Security Solution\css_think_res.dll
     c:\program files\Windows Desktop Search\deskbar.dll
     c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
     c:\program files\Windows Desktop Search\dbres.dll
     c:\program files\Windows Desktop Search\wordwheel.dll
     c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
     c:\program files\Windows Desktop Search\msnlExtRes.dll
     c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ibmpmsvc.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\system32\IPSSVC.EXE c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe c:\windows\system32\TPHDEXLG.exe c:\program files\Lenovo\Rescue and Recovery\rrservice.exe c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe c:\windows\system32\searchindexer.exe c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe c:\program files\Common Files\Lenovo\Logger\logmon.exe c:\program files\Lenovo\System Update\SUService.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe c:\windows\system32\igfxsrvc.exe c:\program files\Lenovo\HOTKEY\TPONSCR.exe c:\program files\Lenovo\ZOOM\TpScrex.exe c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe c:\program files\Wireless Device\Wireless Keyboard\OSD.exe c:\windows\system32\searchprotocolhost.exe c:\windows\system32\searchfilterhost.exe . ************************************************************************** . Completion time: 2009-04-13 19:35 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-13 23:35 ComboFix2.txt 2009-04-13 19:25 Pre-Run: 9,113,751,552 bytes free Post-Run: 9,104,441,344 bytes free 268 --- E O F --- 2009-04-08 03:48
  5. Should I run it from Safe or Normal Mode? I'll run it as soon as I see your reply. LTP
  6. I was not able to delete it. Something else odd happened. When I started Safe Mode I accidentally used a profile different than the usual one. While using that profile there are no redirects from a Google search of Malwarebytes. When I exited and logged in as the main user the redirect behavior was back again. I was not able to delete hosts from any of the user profiles. I will wait on running ComboFix until you tell me. Here is the "hosts" file converted to text:
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost

Pretty much exactly as was on that Google Help page I linked to earlier. Thanks so much, your help is amazing. This has been one long day for you. LTP
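An added check, not code from this thread, ComboFix or any other tool named in it, that parses hosts-file text and flags the hijack pattern discussed here: search-engine hostnames pinned to one address that is not loopback. The SAMPLE_HOSTS text and the 203.0.113.10 address are constructed for the example.

```python
"""Audit a Windows HOSTS file for search-engine hijack entries.

Added example (not from the forum thread or any tool it mentions). It reads
hosts-file text and reports non-loopback mappings for search-engine hosts,
plus any single address pinned for many hostnames. SAMPLE_HOSTS and the
203.0.113.10 address below are constructed, not indicators from the thread.
"""
import ipaddress
from collections import defaultdict

# Search-engine hosts that should never be pinned in a hosts file. Any hostname
# containing a "google" label also counts (google.com, www.google.co.uk, ...).
SEARCH_SITES = {
    "search.yahoo.com", "www.search.yahoo.com",
    "search.live.com", "search.msn.com",
}

# Constructed sample in the layout of the thread's dump: search domains first,
# a benign LAN entry, then the stock Microsoft template entry.
SAMPLE_HOSTS = """\
203.0.113.10 google.com
203.0.113.10 www.google.com
203.0.113.10 google.co.uk
203.0.113.10 search.yahoo.com
203.0.113.10 search.msn.com
192.168.1.20 printer.home   # a local device, benign
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blanks, comments and bad addresses."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        # One line may map several hostnames to the same address.
        for host in fields[1:]:
            entries.append((str(addr), host.lower()))
    return entries


def is_search_host(host):
    """True for Google country domains and the other search hosts listed above."""
    return "google" in host.split(".") or host in SEARCH_SITES


def audit_hosts(text, fanout_threshold=5):
    """Group entries by address and report the non-loopback ones that look hijacked.

    A finding is raised when a non-loopback address is given for any search host,
    or when one address is pinned for at least fanout_threshold hostnames
    (ad-blocking lists also do that, so the second rule is lower confidence).
    """
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        by_ip[ip].add(host)

    findings = []
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 sinkhole entries are the normal case
        search_hosts = sorted(h for h in hosts if is_search_host(h))
        if search_hosts:
            findings.append({"ip": ip, "reason": "search-domain-redirect",
                             "hosts": search_hosts})
        elif len(hosts) >= fanout_threshold:
            findings.append({"ip": ip, "reason": "high-fanout",
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['ip']}: {f['reason']} -> {', '.join(f['hosts'])}")
```

To run it against a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to audit_hosts instead of SAMPLE_HOSTS.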
  7. I was able to get into Safe Mode. I'm trying it again. Will follow up shortly. Will also try the two other things you suggested. I missed them in my rush to get into Safe Mode. LTP
  8. Yeah, I know, kind of stupid. I can figure out there's a problem with the hosts file, but I can't figure out Safe Mode. Unfortunately, can't do it in Safe Mode either. After hitting f8 and choosing Safe Mode it gave me a further choice of either XP Professional or Recovery Console. I went into XP Pro. Should I have chosen Recovery Console? LTP
  9. I will try Safe Mode now. How do I boot the machine into Safe Mode? I did a complete uninstall of Trend Micro including making sure the registry key had been deleted. LTP
  10. Read Only is checked and I am unable to uncheck it. When I try to do so I get this error: "An error occurred applying attributes to the file: C:\WINDOWS\system32\drivers\etc\hosts Access is denied." It does not matter how many times I hit the retry button, the error message remains. If I hit the ignore button, the error box closes, but the Read Only attribute is unchanged. LTP
  11. HostsXpert was not able to restore the hosts file. Here was the message: "ERROR: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts" Should I bother running ComboFix? I did a full uninstall of Trend Micro (with reboot) before even downloading HostsXpert. LTP
  12. I have done a manual reboot. I am no longer getting the automatic reboots. I am still being redirected when I do web searches. This is happening whether it is Firefox or IE. It also does not matter if it is Google, Ask.com, MSN, or Yahoo. Here are some examples of redirected URLs. I searched for "Malware" and most engines come up with a link for MalwareBytes. Here is how some resolve (truncated):

Firefox - Google:
Result: www.malwarebytes.org/mbam.php
First Redirect: relevantsearchprovider.net/search.p...y03MKU8sS......
www.stopzilla.com/products/stopzilla/landing.do?type=do.

Firefox - Yahoo:
Result: www.malwarebytes.org
relevantsearchprovider.net/search.php?s=2&q=y03MK....
Second Redirect (happens automatically): http://google.com/

Firefox - MSN:
Result: www.malwarebytes.org
relevantsearchprovider.net/search.php?s=3q=y03MKU...
www.topdaofin....

IE7 - Google:
Result: www.malwarebytes.org/mbam.php
relevantsearchprovider.net/search.php?s=1&q=y03MKU8s...
www.topdaofin...

IE7 - Yahoo:
Result: www.malwarebytes.org
relevantsearchprovider.net/search.php?s=2&=y03MKU8sS....
http://www.topdaofin...

With Ask.com, only the sponsored results redirect to bad links (similar to above). The regular results are fine. Also, now that the Unauth Change module is working on Trend Micro, I'm getting a warning about my Hosts file changing every time I click on a browser tab with a search engine open (either Ffx or IE). The warning says:

Trend Micro Internet Security (orange warning box)
!Your Hosts file has changed!
To remove the suspicious address from the Hosts file, click Clean. Click Allow to approve of this change to your Hosts file.
Address: www.google.com

The address will be whichever search engine I'm using, not just Google. At this point I'm always clicking "Clean."
I've taken a quick look at Trend Micro's "Protection Against Web Threats" log and it is showing a single URL trying to be accessed consistent with every one of the "bad" click-throughs that I performed above to test out the redirects. While I won't include that IP4 URL in this message, I did a search on it. I found a Google Help posting that describes very well the problem I've been having: http://www.google.com/support/forum/p/Web+...7c68d&hl=en It is the posting at the very bottom by YVB on 3/16/09. That describes a hijacked Hosts file that includes the same IP4 URL that my TM has captured in its log. I took a quick look at my HOSTS file and it pretty much matches the one described in the post above. I'm happy to post that here if appropriate. Sorry for the long post, but it was additional information that started coming together as I was writing this reply. Let me know what to try next. I really appreciate the help!
  13. ComboFix log is below. Something interesting happened as I was preparing to run ComboFix. I completely uninstalled Spyware Doctor since I wasn't even aware it was still on the machine. I then manually / temporarily disabled all elements of Trend Micro except for Unauthorized Change Prevention since that was indicated as being already disabled. When I rebooted, the Trend Micro tray icon showed it being disabled so I ran ComboFix. At that point TM's Unauthorized Change popups started going off. So I said "No" to the disclaimer to stop the ComboFix run and then manually / temporarily uninstalled the Unauth Change module. I then ran ComboFix. I'm wondering if Spyware Doctor was preventing TM from properly loading the Unauth Change module? While I hope that piece of information is helpful in figuring out the problem, I am still being redirected by most Google searches. Here's the log:

ComboFix 09-04-13.A2 - Cheryl 2009-04-13 15:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2378 [GMT -4:00]
Running from: c:\documents and settings\Cheryl\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\opuc.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-13 18:21 . 2009-04-13 18:59 -------- d-----w c:\documents and settings\Cheryl\Local Settings\Application Data\SmartSync Pro
2009-04-13 16:56 . 2009-03-03 08:34 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-13 16:56 . 2009-03-03 08:34 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-13 16:55 . 2009-04-13 17:02 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-13 16:55 . 2009-04-13 16:56 -------- d-----w c:\program files\Trend Micro
2009-04-13 16:52 . 2009-03-03 08:34 150032 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-13 16:50 . 2009-04-13 16:50 661808 ----a-w c:\windows\system32\UfWSC.cpl
2009-04-13 16:50 . 2009-04-13 16:50 335376 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-13 16:50 . 2009-04-13 16:50 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-13 15:57 . 2009-04-13 15:57 -------- d-----w c:\documents and settings\Cheryl\Interactive
2009-04-13 15:57 . 2009-04-13 15:57 -------- d-----w c:\documents and settings\Cheryl\log
2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\documents and settings\Cheryl\Application Data\Malwarebytes
2009-04-12 17:40 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-12 17:40 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\program files\Malwarebytes
2009-04-12 17:40 . 2009-04-12 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 21:18 . 2009-04-12 16:26 -------- d-----w c:\documents and settings\Cheryl\.housecall6.6
2009-04-11 18:52 . 2002-08-09 18:38 23323 ----a-w c:\windows\system32\U2S2KXP.SYS
2009-04-11 18:52 . 2002-08-09 18:38 23323 ----a-w c:\windows\system32\drivers\U2S2KXP.SYS
2009-04-11 18:52 . 2002-01-16 20:02 24745 ------w c:\windows\system32\ADM8511.SYS
2009-04-11 18:29 . 2009-04-11 18:52 -------- d-----w c:\program files\Targus
2009-04-11 18:05 . 2002-01-16 20:02 24745 ----a-w c:\windows\system32\dllcache\adm8511.sys
2009-04-11 18:05 . 2002-01-16 20:02 24745 ------w c:\windows\system32\drivers\ADM8511.SYS
2009-04-08 04:30 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-04-08 03:39 . 2009-04-08 03:40 -------- d-----w C:\1ae88c55a7ef9bbca7b762
2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\windows\system32\XPSViewer
2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\program files\MSBuild
2009-04-08 02:48 . 2009-04-08 02:48 -------- d-----w c:\program files\Reference Assemblies
2009-04-08 02:47 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-08 02:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-08 02:47 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-08 02:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-08 02:47 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-08 02:47 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-08 02:47 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-08 02:47 . 2009-04-08 02:48 -------- d-----w C:\b9813e1088fe36e8c567
2009-04-08 02:47 . 2009-04-08 03:41 -------- d-----w c:\windows\SxsCaPendDel
2009-04-02 22:04 . 2009-04-02 22:09 -------- d-----w C:\_SMA
2009-03-26 11:22 . 2009-03-26 11:22 -------- d-----w c:\documents and settings\Cheryl\Client Security Solution

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 19:19 . 2008-10-06 14:25 40311 ----a-w C:\Log.txt
2009-04-13 17:55 . 2009-03-06 04:13 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-13 16:50 . 2008-10-31 22:14 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-13 16:50 . 2008-10-31 22:14 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-13 16:50 . 2008-10-31 22:14 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-11 21:09 . 2008-09-25 00:33 84848 ----a-w c:\documents and settings\Cheryl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 21:03 . 2009-04-11 21:03 3248 ----a-w C:\TMPatch.log
2009-04-11 18:52 . 2008-08-05 02:51 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 22:12 . 2009-03-05 23:38 -------- d-sh--w c:\documents and settings\All Users\Application Data\410acfb
2009-04-01 13:55 . 2008-09-24 00:35 -------- d-----w c:\documents and settings\Cheryl\Application Data\Lenovo
2009-03-11 02:18 . 2008-09-06 03:29 934792 ------w c:\windows\system32\dllcache\WgaTray.exe
2009-03-11 02:18 . 2008-09-06 03:30 239496 ------w c:\windows\system32\dllcache\wgaLogon.dll
2009-02-27 13:55 . 2008-10-05 03:44 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-27 13:41 . 2009-02-27 13:41 -------- d-----w c:\documents and settings\Cheryl\Application Data\DivX
2009-02-24 02:13 . 2008-11-14 00:57 -------- d-----w c:\documents and settings\Jason\Application Data\Clipdiary
2009-02-13 18:45 . 2008-08-05 03:12 -------- d-----w c:\program files\Google
2009-02-09 11:13 . 2008-10-16 18:54 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-04-30 06:55 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-17 17:22 . 2008-10-18 03:43 1470 ----a-w C:\pdanetbt.txt
2009-01-17 02:35 . 2006-11-08 04:03 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 17:54 . 2008-09-27 21:26 84848 ----a-w c:\documents and settings\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-14 21:40 . 2008-11-20 21:47 12535 ----a-w C:\hpfr6500.log
2008-09-24 00:22 . 2008-09-24 00:22 62344 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-27 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-08-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-08-25 208896]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-06 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-06 137752]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\progra~1\THINKV~1\AMSG\amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Professional 3.0\\RegistryController.exe" [2005-07-01 106496]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2008-10-17 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-03-31 995528]
"TpShocks"="TpShocks.exe" [2007-11-22 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-04-13 492808]

c:\documents and settings\Cheryl\Start Menu\Programs\Startup\
Process Explorer.lnk - c:\program files\Process Explorer\procexp.exe [1619-09-25 3550064]
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2006-04-30 135680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-08-04 50688]
Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2008-10-22 172032]
Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2008-10-22 217088]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2008-10-17 471040]
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2006-04-30 135680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 16:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 16:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 17:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=

S0 Shockprf;Shockprf;c:\windows\System32\DRIVERS\Apsx86.sys [2007-10-16 103472]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2005-11-08 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\Drivers\IBMBLDID.sys [2007-04-02 4224]
S1 kbfilter;Keyboard Filter Driver; [x]
S1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwrif.sys [2008-08-25 4442]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-08-25 94208]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-03-03 50192]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-03-31 497008]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-04-13 36368]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-03-31 677128]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-02-08 569344]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\DRIVERS\ADM8511.SYS [2002-01-16 24745]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-01-01 8576]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-04-13 335376]
S3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\DRIVERS\tp4track.sys [2008-03-04 22568]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e404534b-8a73-11dd-b28c-001cbfd56df7}]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 18:54]

2009-03-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-09-26 19:21]

2009-04-13 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-25 01:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
FF - ProfilePath - c:\documents and settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\2f08ch27.default\
FF - component: c:\program files\Lenovo\Client Security Solution\PWM Firefox Extension\components\tvtpwm_moz_xpcom.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 15:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(656)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll

- - - - - - - > 'explorer.exe'(2100)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ibmpmsvc.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\system32\IPSSVC.EXE c:\program files\Trend Micro\BM\TMBMSRV.exe c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Trend Micro\Internet Security\SfCtlCom.exe c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe c:\windows\system32\TPHDEXLG.exe c:\program files\Lenovo\Rescue and Recovery\rrservice.exe c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe c:\windows\system32\searchindexer.exe c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe c:\program files\Common Files\Lenovo\Logger\logmon.exe c:\program files\Lenovo\System Update\SUService.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe c:\windows\system32\wscntfy.exe c:\windows\system32\rundll32.exe c:\program files\Lenovo\HOTKEY\TPONSCR.exe c:\program files\Lenovo\ZOOM\TpScrex.exe c:\windows\system32\igfxsrvc.exe c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe c:\program files\Wireless Device\Wireless Keyboard\OSD.exe c:\windows\system32\searchfilterhost.exe c:\windows\system32\searchprotocolhost.exe . ************************************************************************** . 
Completion time: 2009-04-13 15:25 - machine was rebooted [Cheryl] ComboFix-quarantined-files.txt 2009-04-13 19:24 Pre-Run: 8,500,436,992 bytes free Post-Run: 8,767,143,936 bytes free 290 --- E O F --- 2009-04-08 03:48
  14. Sorry again for the repost - the reboots are worrying me. Contents of the key are below. FYI, Windows did create a new regedit.exe. Here is the registry info: Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Class Name: <NO CLASS> Last Write Time: 11/17/2008 - 10:51 AM Value 0 Name: midimapper Type: REG_SZ Data: midimap.dll Value 1 Name: msacm.imaadpcm Type: REG_SZ Data: imaadp32.acm Value 2 Name: msacm.msadpcm Type: REG_SZ Data: msadp32.acm Value 3 Name: msacm.msg711 Type: REG_SZ Data: msg711.acm Value 4 Name: msacm.msgsm610 Type: REG_SZ Data: msgsm32.acm Value 5 Name: msacm.trspch Type: REG_SZ Data: tssoft32.acm Value 6 Name: vidc.cvid Type: REG_SZ Data: iccvid.dll Value 7 Name: vidc.I420 Type: REG_SZ Data: msh263.drv Value 8 Name: vidc.iv31 Type: REG_SZ Data: ir32_32.dll Value 9 Name: vidc.iv32 Type: REG_SZ Data: ir32_32.dll Value 10 Name: vidc.iv41 Type: REG_SZ Data: ir41_32.ax Value 11 Name: vidc.iyuv Type: REG_SZ Data: iyuv_32.dll Value 12 Name: vidc.mrle Type: REG_SZ Data: msrle32.dll Value 13 Name: vidc.msvc Type: REG_SZ Data: msvidc32.dll Value 14 Name: vidc.uyvy Type: REG_SZ Data: msyuv.dll Value 15 Name: vidc.yuy2 Type: REG_SZ Data: msyuv.dll Value 16 Name: vidc.yvu9 Type: REG_SZ Data: tsbyuv.dll Value 17 Name: vidc.yvyu Type: REG_SZ Data: msyuv.dll Value 18 Name: wavemapper Type: REG_SZ Data: msacm32.drv Value 19 Name: msacm.msg723 Type: REG_SZ Data: msg723.acm Value 20 Name: vidc.M263 Type: REG_SZ Data: msh263.drv Value 21 Name: vidc.M261 Type: REG_SZ Data: msh261.drv Value 22 Name: msacm.msaudio1 Type: REG_SZ Data: msaud32.acm Value 23 Name: msacm.sl_anet Type: REG_SZ Data: sl_anet.acm Value 24 Name: msacm.iac2 Type: REG_SZ Data: C:\WINDOWS\system32\iac25_32.ax Value 25 Name: vidc.iv50 Type: REG_SZ Data: ir50_32.dll Value 26 Name: msacm.l3acm Type: REG_SZ Data: C:\WINDOWS\system32\l3codeca.acm Value 27 Name: wave Type: REG_SZ Data: wdmaud.drv Value 28 Name: midi Type: REG_SZ Data: wdmaud.drv Value 29 Name: 
mixer Type: REG_SZ Data: wdmaud.drv Value 30 Name: aux Type: REG_SZ Data: wdmaud.drv Value 31 Name: vidc.DIVX Type: REG_SZ Data: DivX.dll Value 32 Name: vidc.yv12 Type: REG_SZ Data: DivX.dll Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server Class Name: <NO CLASS> Last Write Time: 4/30/2006 - 3:09 AM Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP Class Name: <NO CLASS> Last Write Time: 4/30/2006 - 3:09 AM Value 0 Name: wave Type: REG_SZ Data: rdpsnd.dll Value 1 Name: mixer Type: REG_SZ Data: rdpsnd.dll Value 2 Name: MaxBandwidth Type: REG_DWORD Data: 0x56b9 Value 3 Name: wavemapper Type: REG_SZ Data: msacm32.drv Value 4 Name: EnableMP3Codec Type: REG_DWORD Data: 0x1 Value 5 Name: midimapper Type: REG_SZ Data: midimap.dll
  15. Sorry for the newer post, but I see the prior one had fallen off the first page and I think had only been viewed by me. In the meantime the problem is getting worse. My computer is rebooting about every 15 minutes as it is trying to update its antivirus. It is also having the same website redirection that others have described. Below are the scans I was able to post in the first message. Because of the reboots I can't get MBytes to finish a newer scan, and I'm afraid to reconnect it to the internet (this post is from a borrowed computer). Any help would be really appreciated. Original Malwarebytes that caught the infection: Malwarebytes' Anti-Malware 1.36 Database version: 1970 Windows 5.1.2600 Service Pack 3 4/12/2009 4:36:31 PM mbam-log-2009-04-12 (16-36-31).txt Scan type: Full Scan (C:\|) Objects scanned: 287486 Time elapsed: 2 hour(s), 5 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virus melt (Rogue.VirusMelt) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Documents and Settings\Cheryl\Application Data\Virus Melt (Rogue.VirusMelt) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\System Data (Rogue.VirusMelt) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\Cheryl\Local Settings\Temporary Internet Files\Content.IE5\020H860W\SetupReleaseXP[1].exe (Rogue.Installer) -> Quarantined and deleted successfully. 
C:\Documents and Settings\Cheryl\Application Data\Virus Melt\Instructions.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\System Data\mscfg.ini (Rogue.VirusMelt) -> Quarantined and deleted successfully. C:\Documents and Settings\Cheryl\Start Menu\Virus Melt.lnk (Rogue.VirusMelt) -> Quarantined and deleted successfully. C:\Documents and Settings\Cheryl\Application Data\Microsoft\Internet Explorer\Quick Launch\Virus Melt.lnk (Rogue.VirusMelt) -> Quarantined and deleted successfully. Latest Malwarebytes log (clean): Malwarebytes' Anti-Malware 1.36 Database version: 1970 Windows 5.1.2600 Service Pack 3 4/12/2009 6:57:26 PM mbam-log-2009-04-12 (18-57-26).txt Scan type: Quick Scan Objects scanned: 89847 Time elapsed: 6 minute(s), 43 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Hijack This log file: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:04:19 PM, on 4/12/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ibmpmsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\IPSSVC.EXE C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe 
C:\WINDOWS\system32\cisvc.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe C:\Program Files\Trend Micro\Internet Security\TmPfw.exe C:\Program Files\Trend Micro\Internet Security\TmProxy.exe C:\WINDOWS\System32\TPHDEXLG.exe C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE c:\program files\lenovo\system update\suservice.exe C:\Program Files\Common Files\Lenovo\Logger\logmon.exe C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe C:\Program Files\Lenovo\TrackPoint\tp4serv.exe C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe C:\WINDOWS\system32\TpShocks.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe C:\Program Files\Lenovo\Zoom\TpScrex.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program 
Files\Lenovo\AwayTask\AwaySch.EXE C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe C:\PROGRA~1\THINKV~1\AMSG\amsg.exe C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe C:\Program Files\Lenovo\Client Security Solution\cssauth.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe C:\Program Files\palmOne\Hotsync.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Program Files\Process Explorer\procexp.exe C:\Program Files\Trend Micro\Internet Security\UfNavi.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet 
Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: Java